Read data from the HTTP request



Create a hash table (name, value pairs) with parameters for the Filter Engine 
including HTTP headers, Content type, client IP address, HTTP method (GET 
and SET) and the actual data in the request 



Identify if the data has been signed. If not signed, call Filter Engine with the 
hash table 



If signed, URL decode the PKCS#7 message received from the Plug-In and 
insert it into the hash table 



Call the Filter Engine with the hash table 



Process the return value from the Filter Engine



If the return value from the Filter Engine indicates that the web application has 
been called, then display the next page 



If the return value from the Filter Engine indicates that the page needs to be 
signed, the state of the Filter Engine is stored in a cookie and the page with the 
Plug-In is displayed 



If the return value from the Filter Engine indicates that the Client Certificate is 
GOOD, then change the State and send a request to Filter Engine to retrieve 
the next page. 



For all other values or exceptions, display error page to the client. 



FIG. 5 



200681 70-0088-002
System and Method for Facilitating Access by Sellers to Certificate-related and Other Services
USSN: 09/657,604
Jackson Brandenburg et al., filed Sept 8, 2000
REPLACEMENT SHEET

Filter Engine Startup Steps


802  Loads Filter Engine properties from the properties file
804  Open log files
806  Load SSL or Utility Certificates
808  Load RMI server Policy File
810  Load Rules files into the memory
812  Validate Rules to verify correct formatting




The Filter Engine Interface is now ready to receive requests 
Filter Engine Processing Steps



Receives HTTP Request data and the State from the Servlet 



If the State passed from the Servlet is FE_NEW_REQUEST, the Filter Engine 
compares the request against the signing rules and determines whether the 
request has to be signed or not. It builds the Return Object specified in the 
FE_NEW_REQUEST State.



If the State passed in from the Servlet is FE_SIGNED_DATA, then it calls the 
Bank Interface to check the status of the Certificate. After interacting with the 
Identrus network, the Bank Interface returns the status. The status and the data 
in the CMS message are put into a Return Object and sent to the Servlet 



If the State passed from the Servlet is FE_REQUEST_CHECKED, indicating 
the final stage of a signed transaction, the Web Application is called. The 
original page is retrieved from the Web Application and its content is returned to 
the Servlet in a Return Object 



Log all signed requests to the event log and all errors to the error log
All exceptions are returned to the Servlet as part of the Return Object 
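
The Servlet steps of FIG. 5 and the Filter Engine processing steps above, combined into one runnable sketch. This is an added example, not code from the patent: the state names are the page's, while the Return Object fields, the (method, path prefix) rule format and the function names are assumptions.

```python
from dataclasses import dataclass
from urllib.parse import unquote

# State names come from the page; the Return Object fields, the rule format
# (method, path prefix) and all function names are assumptions for illustration.
FE_NEW_REQUEST = "FE_NEW_REQUEST"
FE_SIGNED_DATA = "FE_SIGNED_DATA"
FE_REQUEST_CHECKED = "FE_REQUEST_CHECKED"

@dataclass
class ReturnObject:
    kind: str            # APP_CALLED | SIGN_REQUIRED | CERT_STATUS | ERROR
    body: str = ""
    status: str = ""

def filter_engine(state, table, rules, bank_interface, web_app):
    """One Filter Engine call; exceptions are returned inside the Return Object."""
    try:
        if state == FE_NEW_REQUEST:
            if any(table["method"] == m and table["path"].startswith(p) for m, p in rules):
                return ReturnObject("SIGN_REQUIRED", body=table["data"])
            # Assumed: a request that matches no signing rule goes straight through.
            return ReturnObject("APP_CALLED", body=web_app(table))
        if state == FE_SIGNED_DATA:
            return ReturnObject("CERT_STATUS", status=bank_interface(table["pkcs7"]))
        if state == FE_REQUEST_CHECKED:
            return ReturnObject("APP_CALLED", body=web_app(table))
        return ReturnObject("ERROR", body="unknown state " + repr(state))
    except Exception as exc:
        return ReturnObject("ERROR", body=str(exc))

def servlet(request, rules, bank_interface, web_app):
    """Return (page, body) for one HTTP request, following the Servlet steps."""
    table = {k: request.get(k, "") for k in ("method", "path", "client_ip", "data")}
    state = FE_NEW_REQUEST
    if request.get("pkcs7"):                      # signed: URL-decode the PKCS#7 message
        table["pkcs7"] = unquote(request["pkcs7"])
        state = FE_SIGNED_DATA
    ret = filter_engine(state, table, rules, bank_interface, web_app)
    if ret.kind == "CERT_STATUS" and ret.status == "GOOD":
        # Only the servlet moves to the final state, and only after a GOOD status.
        ret = filter_engine(FE_REQUEST_CHECKED, table, rules, bank_interface, web_app)
    if ret.kind == "APP_CALLED":
        return "next_page", ret.body
    if ret.kind == "SIGN_REQUIRED":
        return "plugin_page", ret.body
    return "error_page", ""                       # every other value: fail closed
```

The sketch derives the state from whether a PKCS#7 message is present instead of reading it back from the cookie, so the final state is never taken from client input.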
Bank Interface Startup Steps

1102  Loads Bank Interface properties from the properties file
1104  Open log files
1106  Load SSL or Utility Certificates
1108  Load RMI server Policy File
1110  Load cryptographic modules, either software or hardware (Hardware Security Module API), as specified in the properties file

At this stage the Bank Interface is ready to receive service requests

Call Bank Interface service manager with the DSMS request that contains the 
name of the service, mode of the service and the message 
Steps

Retrieve Relying Customer and Root Certificate from the server 



Retrieve Subscribing Customer and Issuing Participant's Certificate from the
CMS (Cryptographic Message Syntax), also referred to as PKCS#7.



Verify signature on the CMS message 



Verify signature on the Subscribing Customer's Certificate using the Issuing 
Participant's Certificate 



Verify signature on the Issuing Participant's Certificate using the Identrus Root 
Certificate that belongs to the Relying Participant 



The Validity period is then checked on the two Certificates received against the 
current date 



Retrieve the OCSP responder's URL from the Relying Customer's certificate 

Create an OCSP request for the Subscribing Customer's Certificate signed by 
the Relying Customer. All OCSP requests contain a Service Locator 
Extension, which is set by the Authority Information Access (AIA) extension 
defined in this certificate 



Log the OCSP request to the transaction log 



Create HTTP(S) connection to the OCSP responder and send the OCSP 
request. 



Receive OCSP response from the responder and verify the signature using the 
OCSP Responder's Certificate 



Get the status of the certificate from the Response 



Repeat steps 8 through 11 for the Issuing Participant and the Relying
Participant's OCSP Responder's certificate



Log the OCSP response to the transaction log 



If the statuses of all the responses are GOOD, return GOOD; else return the status



Log all signed requests to the event log and all errors to the error log
All exceptions are returned to the client as part of the Return Object 
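
A sketch of the certificate checks in the steps above, added here and not taken from the patent. It uses the Python `cryptography` package with constructed ECDSA certificates, skips the CMS signature step, and replaces the signed OCSP exchange with a hypothetical `ocsp_status` callback; all function names and status strings other than GOOD are assumptions.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc

def make_cert(cn, key, issuer_cn, issuer_key, start, days=365):
    """Constructed sample certificate; names and lifetimes are made up."""
    name = lambda c: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, c)])
    return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + dt.timedelta(days=days))
            .sign(issuer_key, hashes.SHA256()))

def signed_by(cert, issuer):
    """True if the issuer's key verifies cert's signature and the names chain."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return cert.issuer == issuer.subject

def in_validity(cert, now):
    """Validity period check against an aware UTC datetime."""
    if hasattr(cert, "not_valid_before_utc"):        # cryptography >= 42
        return cert.not_valid_before_utc <= now <= cert.not_valid_after_utc
    naive = now.astimezone(UTC).replace(tzinfo=None)
    return cert.not_valid_before <= naive <= cert.not_valid_after

def validate(subscriber, issuing, root, now, ocsp_status):
    """Chain and validity checks, then status lookups; ocsp_status(cert) is a
    hypothetical stand-in for the signed OCSP request and response."""
    if not signed_by(subscriber, issuing):
        return "BAD_SUBSCRIBER_SIGNATURE"
    if not signed_by(issuing, root):
        return "BAD_ISSUER_SIGNATURE"
    if not all(in_validity(c, now) for c in (subscriber, issuing)):
        return "OUT_OF_VALIDITY"
    for cert in (subscriber, issuing):
        status = ocsp_status(cert)
        if status != "GOOD":                         # first non-GOOD status is returned
            return status
    return "GOOD"
```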
Step | Description | Protocol

1301 | User clicks 'Submit' button on HTML Form in Web Browser | HTML UI
1302 | Web Browser posts form data to SDK Web Server | HTTP
1303 | SDK Web Server passes all requests to Servlet. |
1304 | Servlet passes request to Filter Engine. | RMI
1305 | Filter Engine creates a Return-to-Browser URL (as a GET with parameters for data) representing the data of the original POST or GET form posting and returns it along with instructions to get the data signed to the Servlet | RMI
1306 | Servlet builds a response with 1. An Applet tag pointing to the Client Interface Applet OR 2. A call to a browser plug-in and the arguments Return-to-Browser URL and the data to sign. | Servlet
1307 | SDK Web Server returns the Servlet's response to the Web Browser. | HTTP
1308 | Web Browser displays the HTML Page (requests the Applet if necessary) | HTTP
1309 | Web Browser displays Client Interface Applet or activates the plug-in. The arguments are the data to sign and possibly a URL | Browser
1310 | User clicks button to approve signing of form data. | GUI
1311 | Client Interface (applet or plugin) calls Smart Card API to request that the Smart Card sign an SHA-1 hash of the form data | Client Interface
1312 | User enters PIN when driver asks for it. | OS Dialog
1313 | Smart Card API returns signed form data to Client Interface. | Client Interface
1314 | Client Interface makes an HTTP connection to the SDK Web Server and submits the signed form data. | HTTP
1315 | SDK Web Server passes request to Servlet | Servlet
1316 | Servlet passes request to Filter Engine. | RMI
1317 | Filter Engine calls Bank Interface with signed data. | RMI
     | The Bank Interface calls the Open Card API to request that the HSM sign an SHA-1 hash of the request to the bank. |
     | Open Card API calls HSM OS Driver | Java Native Call
1321 | HSM OS Driver calls HSM to perform signature. | OS-Level Hardware Call
1322 | HSM OS Driver returns signed request to Open Card API | Java Native Call
97   | Open Card API returns signed request to Bank Interface | Java Function Call
2028 | Bank Interface calls the relying party's bank. | Warranty/Status Check
2029 | Relying party's bank calls the issuing party's bank. | Warranty/OCSP
1330 | Issuing party's bank returns a signed response to relying party's bank. | Warranty/OCSP
     | Relying party's bank then calls the root. | Warranty/OCSP
1332 | Root returns a signed response to the relying party's bank. | Warranty/OCSP
1333 | Relying party's bank returns a signed response to the Bank Interface. | Warranty/Status Check
     | Bank Interface validates the signed data and then records the transaction in the log. | File I/O
1335 | Bank Interface validates the signed data and then stores the signed data and the signed response from the relying party's bank into the SDK's database. | JDBC
1336 | Bank Interface returns an OK or failure result to Filter Engine | RMI
1337 | Filter Engine returns failure result to Servlet or passes on initial request to App Server. | RMI
1338 | Servlet builds response indicating failure for SDK Web Server. | Servlet
     | SDK Web Server returns servlet response to the browser if failure. | HTTP
     | Web Application's Web Server calls the Web Application | ISA
Step | Description | Protocol

1501 | User requests form that will require signing when submitted. | HTML UI
1502 | Web Browser sends request to Web Server. | HTTP
1503 | Web server forwards request to Web Application. | ISA
1504 | Web Application returns an HTML page for the web server to return which references the Client Interface | ISA
1505 | Web Server returns the HTML Page to Web Browser. | HTTP
1506 | Web Browser requests Client Interface from Web Server. | HTTP
1507 | Web Server retrieves Client Interface. | OS File System
1508 | Web Server returns Client Interface. | HTTP
1509 | User clicks the submit and sign button in the web page. | HTML UI
1510 | Web Browser calls Client Interface | Client Interface Technology
1511 | Client Interface calls Windows PC/SC to have Smart Card sign data. | API
1512 | User enters PIN. | OS Dialog
1513 | Windows PC/SC calls Smart Card to sign data. | OS-Level Hardware Call
1514 | Windows PC/SC returns signed data to Client Interface | OS API
1515 | Client Interface returns signed data. | Client Interface Technology
1516 | Web Browser posts signed data. | HTTP
1517 | Web server passes signed posting to Web Application. | ISA
1518 | Integration Code added to the Web Application calls the Bank Interface to verify the signature on the form. | Bank Interface Technology
1519 | Bank Interface calls HSM OS Driver to sign request. | OS-API
1520 | HSM OS Driver calls HSM to sign request. | OS-Level Hardware Call
1521 | HSM OS Driver returns signed request to Bank Interface | OS-API
1522 | Bank Interface calls the Relying Party's Bank | Warranty/Status
1523 | Relying Party's Bank calls the Issuing Party's Bank. | Warranty/OCSP
1524 | Issuing Party's Bank returns a signed response to Relying Party's Bank. | Warranty/OCSP
1525 | Relying Party's Bank calls the Root. | Warranty/OCSP
1526 | Root returns signed response to the Relying Party's Bank. | Warranty/OCSP
1527 | Relying Party's Bank returns signed response to the Bank | Warranty/Status
1528 | Bank Interface stores the signed data and the signed OK response from the relying party's bank into the Signed Documents repository. | Database-Access API
1529 | Bank Interface writes transaction log message. | File I/O
1530 | Bank Interface returns result to Web Application. | Bank Interface Technology
1531 | Web Application interprets the form post and returns the next page to the Web Server or an error. | ISA
1532 | Web Server returns the page to the Web Browser. | HTTP